asyncrat | cee54813009042b01b4ebd1afbf99160b0c25465b7530332ba5bb064be6eba63

General

Target

MV BMC ENDORA V0123- PDA.js
Size

128KB
MD5

3a084e6817bf9b361b8ff6618d767c09
SHA1

f27662987fd14d69523efec560e29c1d66a2a645
SHA256

cee54813009042b01b4ebd1afbf99160b0c25465b7530332ba5bb064be6eba63
SHA512

a49b1732ea52aff5cdf57b10ef8c46c5185805ed13a6d032b5cc0aa326a4101aa6744ac12732ed5f8c87e9ad39d8b7da8b31a4c2208eb79c97db6c9e94b0fd11
SSDEEP

3072:ool0yHnHmo2BPDf/DUGOxxVZh/O5kaUH02x2RVy:ogHmouPDf/DnYhmhPRVy

Score

10^/10

asyncrat vjw0rm default rat trojan worm

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

84.21.172.33:6606

84.21.172.33:7707

84.21.172.33:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Recycle Bin.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000022e22-135.dat	asyncrat
behavioral2/files/0x0007000000022e22-136.dat	asyncrat
behavioral2/memory/1972-137-0x0000000000BA0000-0x0000000000BB2000-memory.dmp	asyncrat
behavioral2/files/0x000400000000072b-145.dat	asyncrat
behavioral2/files/0x000400000000072b-146.dat	asyncrat

Blocklisted process makes network request 10 IoCs

flow	pid	Process
7	4768	wscript.exe
25	4768	wscript.exe
30	4768	wscript.exe
42	4768	wscript.exe
48	4768	wscript.exe
55	4768	wscript.exe
56	4768	wscript.exe
57	4768	wscript.exe
62	4768	wscript.exe
63	4768	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1972	AsyncClient.exe
224	Recycle Bin.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AsyncClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4816	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2252	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe
1972	AsyncClient.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	AsyncClient.exe
Token: SeDebugPrivilege	224	Recycle Bin.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 4768	2812	wscript.exe	82
PID 2812 wrote to memory of 4768	2812	wscript.exe	82
PID 2812 wrote to memory of 1972	2812	wscript.exe	83
PID 2812 wrote to memory of 1972	2812	wscript.exe	83
PID 2812 wrote to memory of 1972	2812	wscript.exe	83
PID 1972 wrote to memory of 1540	1972	AsyncClient.exe	84
PID 1972 wrote to memory of 1540	1972	AsyncClient.exe	84
PID 1972 wrote to memory of 1540	1972	AsyncClient.exe	84
PID 1972 wrote to memory of 1760	1972	AsyncClient.exe	86
PID 1972 wrote to memory of 1760	1972	AsyncClient.exe	86
PID 1972 wrote to memory of 1760	1972	AsyncClient.exe	86
PID 1540 wrote to memory of 4816	1540	cmd.exe	88
PID 1540 wrote to memory of 4816	1540	cmd.exe	88
PID 1540 wrote to memory of 4816	1540	cmd.exe	88
PID 1760 wrote to memory of 2252	1760	cmd.exe	89
PID 1760 wrote to memory of 2252	1760	cmd.exe	89
PID 1760 wrote to memory of 2252	1760	cmd.exe	89
PID 1760 wrote to memory of 224	1760	cmd.exe	93
PID 1760 wrote to memory of 224	1760	cmd.exe	93
PID 1760 wrote to memory of 224	1760	cmd.exe	93

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:4768
- C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
  "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'
      4⤵
      Creates scheduled task(s)
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA1F.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2252
  - - C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
      "C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

Filesize
48KB

MD5
1b5be7647628e1de782bb8f33d369dd3

SHA1
cd6e2f240ea97d03c6c796ab3573f728d6c30d9f

SHA256
fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903

SHA512
93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

Filesize
48KB

MD5
1b5be7647628e1de782bb8f33d369dd3

SHA1
cd6e2f240ea97d03c6c796ab3573f728d6c30d9f

SHA256
fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903

SHA512
93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA1F.tmp.bat

Filesize
155B

MD5
2547ecb37ec068cfecedbdf134b5a575

SHA1
012274179c2395a7ba9c0d67e38d1b4328eda6bd

SHA256
68bd9ecad3ece2a746c2880527cadaa72595c20962adcbacb32ae03db1e48903

SHA512
5813c436a2e100660d70c789504314d2b15cc3d8f1aa0ab21e7428951b27487cb4adb7d39b178e0fdea73300ad2c6c49bb4314b1ba6e950608d523794e30a4f4

Download Submit
C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js

Filesize
16KB

MD5
7586d9e4467d26fde97538eab36cf88c

SHA1
d7fcd37e0bc9e790023a38d2d470cd001f81ca92

SHA256
7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18

SHA512
02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a

Download Submit
C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

Filesize
48KB

MD5
1b5be7647628e1de782bb8f33d369dd3

SHA1
cd6e2f240ea97d03c6c796ab3573f728d6c30d9f

SHA256
fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903

SHA512
93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

Download Submit
C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

Filesize
48KB

MD5
1b5be7647628e1de782bb8f33d369dd3

SHA1
cd6e2f240ea97d03c6c796ab3573f728d6c30d9f

SHA256
fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903

SHA512
93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

Download Submit
memory/224-147-0x0000000005D40000-0x00000000062E4000-memory.dmp

Filesize
5.6MB

Download
memory/224-148-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/1972-138-0x0000000005850000-0x00000000058EC000-memory.dmp

Filesize
624KB

Download
memory/1972-137-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads